doipjs/src/openpgp.js

/*
Copyright 2021 Yarmo Mackenbach

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
import axios, * as axiosMod from 'axios'
import { isUri } from 'valid-url'
import { readKey, PublicKey } from 'openpgp'
import HKP from '@openpgp/hkp-client'
import WKD from '@openpgp/wkd-client'
import { Claim } from './claim.js'
import { ProfileType, PublicKeyEncoding, PublicKeyFetchMethod, PublicKeyType } from './enums.js'
import { Profile } from './profile.js'
import { Persona } from './persona.js'

/**
 * Functions related to OpenPGP Profiles
 * @module openpgp
 */

/**
 * Fetch a public key using keyservers
 * @function
 * @param {string} identifier - Fingerprint or email address
 * @param {string} [keyserverDomain] - Domain of the keyserver
 * @returns {Promise<Profile>} The profile from the fetched OpenPGP key
 * @example
 * const key1 = doip.keys.fetchHKP('alice@domain.tld');
 * const key2 = doip.keys.fetchHKP('123abc123abc');
 * const key3 = doip.keys.fetchHKP('123abc123abc', 'pgpkeys.eu');
 */
export async function fetchHKP (identifier, keyserverDomain = 'keys.openpgp.org') {
  const keyserverBaseUrl = `https://${keyserverDomain ?? 'keys.openpgp.org'}`

  const hkp = new HKP(keyserverBaseUrl)
  const lookupOpts = {
    query: identifier
  }

  const publicKeyArmored = await hkp
    .lookup(lookupOpts)
    .catch((error) => {
      throw new Error(`Key does not exist or could not be fetched (${error})`)
    })

  if (!publicKeyArmored) {
    throw new Error('Key does not exist or could not be fetched')
  }

  const publicKey = await readKey({
    armoredKey: publicKeyArmored
  })
    .catch((error) => {
      throw new Error(`Key could not be read (${error})`)
    })

  const profile = await parsePublicKey(publicKey)
  profile.publicKey.fetch.method = PublicKeyFetchMethod.HKP
  profile.publicKey.fetch.query = identifier

  return profile
}

/**
 * Fetch a public key using Web Key Directory
 * @function
 * @param {string} identifier - Identifier of format 'username@domain.tld`
 * @returns {Promise<Profile>} The profile from the fetched OpenPGP key
 * @example
 * const key = doip.keys.fetchWKD('alice@domain.tld');
 */
export async function fetchWKD (identifier) {
  const wkd = new WKD()
  const lookupOpts = {
    email: identifier
  }

  const publicKeyBinary = await wkd
    .lookup(lookupOpts)
    .catch((/** @type {Error} */ error) => {
      throw new Error(`Key does not exist or could not be fetched (${error})`)
    })

  if (!publicKeyBinary) {
    throw new Error('Key does not exist or could not be fetched')
  }

  const publicKey = await readKey({
    binaryKey: publicKeyBinary
  })
    .catch((error) => {
      throw new Error(`Key could not be read (${error})`)
    })

  const profile = await parsePublicKey(publicKey)
  profile.publicKey.fetch.method = PublicKeyFetchMethod.WKD
  profile.publicKey.fetch.query = identifier

  return profile
}

/**
 * Fetch a public key from Keybase
 * @function
 * @param {string} username - Keybase username
 * @param {string} fingerprint - Fingerprint of key
 * @returns {Promise<Profile>} The profile from the fetched OpenPGP key
 * @example
 * const key = doip.keys.fetchKeybase('alice', '123abc123abc');
 */
export async function fetchKeybase (username, fingerprint) {
  const keyLink = `https://keybase.io/${username}/pgp_keys.asc?fingerprint=${fingerprint}`
  let rawKeyContent
  try {
    rawKeyContent = await axios.get(
      keyLink,
      {
        responseType: 'text'
      }
    )
      .then((/** @type {axiosMod.AxiosResponse} */ response) => {
        if (response.status === 200) {
          return response
        }
      })
      .then((/** @type {axiosMod.AxiosResponse} */ response) => response.data)
  } catch (e) {
    throw new Error(`Error fetching Keybase key: ${e.message}`)
  }

  const publicKey = await readKey({
    armoredKey: rawKeyContent
  })
    .catch((error) => {
      throw new Error(`Key does not exist or could not be fetched (${error})`)
    })

  const profile = await parsePublicKey(publicKey)
  profile.publicKey.fetch.method = PublicKeyFetchMethod.HTTP
  profile.publicKey.fetch.query = null
  profile.publicKey.fetch.resolvedUrl = keyLink

  return profile
}

/**
 * Get a public key from armored public key text data
 * @function
 * @param {string} rawKeyContent - Plaintext ASCII-formatted public key data
 * @returns {Promise<Profile>} The profile from the armored public key
 * @example
 * const plainkey = `-----BEGIN PGP PUBLIC KEY BLOCK-----
 *
 * mQINBF0mIsIBEADacleiyiV+z6FIunvLWrO6ZETxGNVpqM+WbBQKdW1BVrJBBolg
 * [...]
 * =6lib
 * -----END PGP PUBLIC KEY BLOCK-----`
 * const key = doip.keys.fetchPlaintext(plainkey);
 */
export async function fetchPlaintext (rawKeyContent) {
  const publicKey = await readKey({
    armoredKey: rawKeyContent
  })
    .catch((error) => {
      throw new Error(`Key could not be read (${error})`)
    })

  const profile = await parsePublicKey(publicKey)

  return profile
}

/**
 * Fetch a public key using an URI
 * @function
 * @param {string} uri - URI that defines the location of the key
 * @returns {Promise<Profile>} The profile from the fetched OpenPGP key
 * @example
 * const key1 = doip.keys.fetchURI('hkp:alice@domain.tld');
 * const key2 = doip.keys.fetchURI('hkp:123abc123abc');
 * const key3 = doip.keys.fetchURI('wkd:alice@domain.tld');
 */
export async function fetchURI (uri) {
  if (!isUri(uri)) {
    throw new Error('Invalid URI')
  }

  const re = /([a-zA-Z0-9]*):([a-zA-Z0-9@._=+-]*)(?::([a-zA-Z0-9@._=+-]*))?/
  const match = uri.match(re)

  if (!match[1]) {
    throw new Error('Invalid URI')
  }

  switch (match[1]) {
    case 'hkp':
      return await fetchHKP(
        match[3] ? match[3] : match[2],
        match[3] ? match[2] : null
      )

    case 'wkd':
      return await fetchWKD(match[2])

    case 'kb':
      return await fetchKeybase(match[2], match.length >= 4 ? match[3] : null)

    default:
      throw new Error('Invalid URI protocol')
  }
}

/**
 * Fetch a public key
 *
 * This function will attempt to detect the identifier and fetch the key
 * accordingly. If the identifier is an email address, it will first try and
 * fetch the key using WKD and then HKP. Otherwise, it will try HKP only.
 *
 * This function will also try and parse the input as a plaintext key
 * @function
 * @param {string} identifier - URI that defines the location of the key
 * @returns {Promise<Profile>} The profile from the fetched OpenPGP key
 * @example
 * const key1 = doip.keys.fetch('alice@domain.tld');
 * const key2 = doip.keys.fetch('123abc123abc');
 */
export async function fetch (identifier) {
  const re = /([a-zA-Z0-9@._=+-]*)(?::([a-zA-Z0-9@._=+-]*))?/
  const match = identifier.match(re)

  let profile = null

  // Attempt plaintext
  try {
    profile = await fetchPlaintext(identifier)
  } catch (e) {}

  // Attempt WKD
  if (!profile && identifier.includes('@')) {
    try {
      profile = await fetchWKD(match[1])
    } catch (e) {}
  }

  // Attempt HKP
  if (!profile) {
    profile = await fetchHKP(
      match[2] ? match[2] : match[1],
      match[2] ? match[1] : null
    )
  }

  if (!profile) {
    throw new Error('Key does not exist or could not be fetched')
  }

  return profile
}

/**
 * Process a public key to get a profile
 * @function
 * @param {PublicKey} publicKey - The public key to parse
 * @returns {Promise<Profile>} The profile from the processed OpenPGP key
 * @example
 * const key = doip.keys.fetchURI('hkp:alice@domain.tld');
 * const profile = doip.keys.parsePublicKey(key);
 * profile.personas[0].claims.forEach(claim => {
 *   console.log(claim.uri);
 * });
 */
export async function parsePublicKey (publicKey) {
  if (!(publicKey && (publicKey instanceof PublicKey))) {
    throw new Error('Invalid public key')
  }

  const fingerprint = publicKey.getFingerprint()
  const primaryUser = await publicKey.getPrimaryUser()
  const users = publicKey.users
  const personas = []

  users.forEach((user, i) => {
    if (!user.userID) return

    const pe = new Persona(user.userID.name, [])
    pe.setIdentifier(user.userID.userID)
    pe.setDescription(user.userID.comment)
    pe.setEmailAddress(user.userID.email)

    if ('selfCertifications' in user && user.selfCertifications.length > 0) {
      const selfCertification = user.selfCertifications.sort((e1, e2) => e2.created.getTime() - e1.created.getTime())[0]

      if (selfCertification.revoked) {
        pe.revoke()
      }
      const notations = selfCertification.rawNotations
      pe.claims = notations
        .filter(
          ({ name, humanReadable }) =>
            humanReadable && (name === 'proof@ariadne.id' || name === 'proof@metacode.biz')
        )
        .map(
          ({ value }) =>
            new Claim(new TextDecoder().decode(value), `openpgp4fpr:${fingerprint}`)
        )
    }

    personas.push(pe)
  })

  const profile = new Profile(ProfileType.OPENPGP, `openpgp4fpr:${fingerprint}`, personas)
  profile.primaryPersonaIndex = primaryUser.index

  profile.publicKey.keyType = PublicKeyType.OPENPGP
  profile.publicKey.fingerprint = fingerprint
  profile.publicKey.encoding = PublicKeyEncoding.ARMORED_PGP
  profile.publicKey.encodedKey = publicKey.armor()
  profile.publicKey.key = publicKey

  return profile
}